How to use both FileVault2 and Bitlocker simultaneously on a dual-boot Mac running bootcamp

I am the proud owner of a beautifully noisy drive.

A noisy drive?!?!?!!!! Get your data off that before it dies!!!

Thanks for the concern but I’m not talking about that kind of noise.

Oh, did you get a HDD stepper to play music??

No, but I think The Imperial March and Still Alive are my favourite step-step songs.

That’s fine, if you don’t want to tell me I’ll go to another blog.

Ok, Ok. This post is about something I have been wanting for ages and didn’t think was possible: how to use both FileVault 2 and BitLocker simultaneously on a multi-boot Mac (running Boot Camp). The noise I’m referring to is the pseudorandom noise of a fully encrypted drive (FDE) :D

What’s so special about that? Is this not an easy thing to do?

No. Generally it is not possible, due to some good design choices that both Apple and Microsoft (and other encryption providers) have made, mixed with a silly one that Apple made.

Both the Microsoft and the Apple boot loaders need to live on an unencrypted volume, which then provides the mechanism to unlock and access the protected, encrypted partition. So to use FDE on either of these operating systems you need 2 primary partitions. Legacy partition tables use the MBR to describe the layout of the partition scheme, and this scheme has a limit of 4 primary partitions.

Can we not just use those four primary partitions?

Nope, as the Mac has a recovery partition that you need to keep intact, so there are only 3 primary partitions available. This means that typically only one of these operating systems can enjoy FDE (and I’m not using encrypted containers inside an OS, that’s too leaky…).

Are we going to time travel and change some specs???

Nope, luckily for us the Mac uses 2 partition tables: one is GPT and the other is MBR.

The MBR entry is used to boot the Mac encrypted boot loader, which in turn provides access to the encrypted Mac partition described in the GPT table.

When loading the Windows/Boot Camp partition, the MBR is used to find the Windows encrypted boot loader, which in turn uses the MBR to access the encrypted Windows partition.

This means that for a dual-boot, fully encrypted system we only need 3 partitions listed in the MBR. Normally the MBR table is just a clone of the GPT one, which is where the problem lies.

Happily we can use some ancient tools to edit these manually and allow dual boot of fully encrypted operating systems, while keeping our beloved restore partition.

Ok, how?

The process is as follows:

<disclaimer: this guide is provided as is, and has no warranty. If you suffer data loss, damage etc. then this is your responsibility, so be a mature person and accept that>

  • Partition the disk using the Disk utility in OS X
  • Enable Filevault
  • Reboot
  • Get a list of partition parameters from the GPT partition table
  • Erase and recreate the MBR table, including only the windows partitions and the Mac encrypted loader partition
  • Run the windows installer
  • Edit the windows recovery/encrypted loader partition
  • Install windows
  • Allow TPM-free bitlocker use
  • Enable bitlocker
  • Smile

    Partition the disk using the Disk utility in OS X

    Reduce the size of the OS X partition to make room for Windows; here I am giving OS X 98 GB.


    Then create 2 new partitions:

    • One for the windows partition
    • One for the BitLocker boot loader (around 200 MB to 1 GB)


    Enable Filevault and Reboot

    Go to System Preferences > Security & Privacy > [FileVault] and turn it on. Remember to responsibly store your recovery key; mine is on an encrypted backup... not stored with Apple.


    Then reboot to enable/verify the encryption.

    Get a list of partition parameters from the GPT partition table

    Open the terminal and run the following command to get the details of the GPT table:

        sudo gpt -rv show -l disk0


    Take note of the start sector, size and type of each partition.

    Erase and recreate the MBR table, including only the windows partitions and the Mac encrypted loader partition

    The Windows partitions and the Mac encrypted loader are the items at indexes 1, 4 and 5. On your system this may differ, but index 1 should remain the same.

    Go to a terminal and open fdisk in edit mode:

        sudo fdisk -e /dev/disk0

    Erase the MBR table:

        erase

    Add a new table and then a new entry for the Mac boot loader:

        add 1

    Edit this partition to match the OS X encrypted loader partition. The details are from index 1 above but should be identical to this (as of OS X 10.9 in a standard scenario):

        edit 1
        Partition id : EE
        CHS mode : no
        Partition offset: 1
        Partition size:  409600

    Then add the first Windows partition. I got the offset and size from index 4 above; this will be different on your system, so pay attention to YOUR start and size parameters and ensure it’s the correct Windows partition.

        edit 2
        Partition id : 07
        CHS mode : no
        Partition offset: 193085424
        Partition size: 296059568

    Now add the second Windows partition. I got the offset and size from index 5 above; again this will be different on your system, so pay attention to YOUR start and size parameters and ensure it’s the correct Windows partition.

        edit 3
        Partition id : 07
        CHS mode : no
        Partition offset: 489407136
        Partition size: 827576

    Then write the MBR table using the command:

        write

    The print command displays the resulting table (the exact details will differ as appropriate for your disk layout).
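    Before typing write, it is worth checking the planned entries against the GPT table, because a single mistyped digit in an offset or size silently points the MBR at the wrong sectors. The script below is an added example and not part of the original post: it takes a constructed copy of the gpt show output (the BOOTCAMP and loader numbers are the ones quoted above; every other value and the partition labels are made up) plus the three entries exactly as they will be typed into fdisk, and refuses the plan if a type-07 entry is not an exact copy of a GPT partition, if two entries overlap, or if one runs past the end of the disk.

```shell
#!/bin/sh
# Sanity check for the hand-built MBR before typing `write` in fdisk -e. GPT_DUMP is a
# constructed stand-in for `sudo gpt -rv show -l disk0`: the BOOTCAMP and loader
# numbers are the ones quoted in the post, every other value and label is made up.
GPT_DUMP='      start       size  index  contents
          0          1         PMBR
          1          1         Pri GPT header
         40     409600      1  GPT part - "EFI System Partition"
     409640  191406248      2  GPT part - "Macintosh HD"
  191815888    1269536      3  GPT part - "Recovery HD"
  193085424  296059568      4  GPT part - "BOOTCAMP"
  489407136     827576      5  GPT part - "BLBOOT"
  490234744          1         Sec GPT header'

# Planned MBR entries, "<slot> <type> <offset> <size>", as they will be typed into fdisk.
PLAN_OK='1 EE 1 409600
2 07 193085424 296059568
3 07 489407136 827576'

# Same plan with one digit mistyped in the loader offset.
PLAN_BAD='1 EE 1 409600
2 07 193085424 296059568
3 07 489407137 827576'

# check_mbr_plan GPT_DUMP PLAN: exit 0 when every type-07 entry is an exact copy of a
# GPT partition, nothing runs past the disk and no two entries overlap; else print
# the first problem and exit 1 (the EE entry is only checked for overlap and bounds).
check_mbr_plan() {
    { printf '%s\n' "$1"; echo '---PLAN---'; printf '%s\n' "$2"; } | awk '
    /^---PLAN---$/ { inplan = 1; next }
    # GPT side: size and index of each real partition, keyed by start sector
    !inplan && $1 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ { gsize[$1] = $2; gidx[$1] = $3 }
    !inplan && /Sec GPT header/ { disk_end = $1 }
    inplan && NF == 4 {
        n++; slot[n] = $1; type[n] = $2; off[n] = $3; len[n] = $4
        if (off[n] + len[n] > disk_end) { print "slot " $1 " runs past the end of the disk"; bad = 1; exit 1 }
        if (type[n] == "07" && (!(off[n] in gsize) || gsize[off[n]] != len[n])) {
            print "slot " $1 " is not an exact copy of any GPT partition"; bad = 1; exit 1 }
    }
    END {
        if (bad) exit 1
        for (i = 1; i <= n; i++) for (j = i + 1; j <= n; j++)
            if (off[i] < off[j] + len[j] && off[j] < off[i] + len[i]) {
                print "slots " slot[i] " and " slot[j] " overlap"; exit 1 }
        for (i = 1; i <= n; i++) if (type[i] == "07") print "slot " slot[i] " = GPT index " gidx[off[i]]
    }'
}

check_mbr_plan "$GPT_DUMP" "$PLAN_OK" && echo "OK: safe to write"
check_mbr_plan "$GPT_DUMP" "$PLAN_BAD" || echo "REFUSED: fix the plan before write"
```

    On a real machine, replace GPT_DUMP with the actual output of the gpt command and PLAN_OK with the values you intend to type.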


    Now that the tough stuff is done we only need to install Windows. Pop in a Windows install disk and do the following.

  • Reboot the machine and run the windows installer
  • Edit the windows recovery/encrypted loader partition – format it
  • Install windows
  • Allow TPM-free bitlocker use

    Open the group policy editor by running gpedit.msc

    In the group policy editor open:

    Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.

    Then open the entry for Require additional authentication at startup

    This will bring up an editor for this policy, where you can enable the option by clicking the Enabled radio button and then, on the options panel, ticking the Allow BitLocker without a compatible TPM checkbox.

  • Enable bitlocker
  • Smile

    Enjoy your dual-boot, encrypted work-capable machine :)
